I believe the order of "connection" elements is important. The first one that matches is selected (if it does not have a selector, it matches all). That means that this "deny" connection rule would have to be first in your configuration file.

The other issue could be if the machines also have IPv6 addresses and those were actually used.